Cloudflare IP ranges don't support HTTPS?

What is the name of the domain?

maplefighters.io

What is the error number?

403

What is the error message?

Forbidden

What is the issue you’re encountering

Denying all connections except from Cloudflare IP ranges blocks HTTPS connections.

What steps have you taken to resolve the issue?

Allow all connections and not only connections from Cloudflare IP ranges (proxy).

What are the steps to reproduce the issue?

  1. Start nginx server (:443 with SSL/TLS enabled).
  2. Deny all connections.
  3. Allow connections only from Cloudflare IP ranges.

I’m using Cloudflare IP ranges that I copied from here, the official Cloudflare website: IP Ranges


Sounds like you didn’t allow port 443, only 80.
What is your firewall config exactly?


It’s an Ubuntu Server (DigitalOcean Droplet). The Nginx server is running inside a Docker container.

This is the firewall config, but again, Nginx is running inside a Docker container:

user@maplefighters:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere                  
2375/tcp                   ALLOW       Anywhere                  
2376/tcp                   ALLOW       Anywhere                  
22/tcp (v6)                LIMIT       Anywhere (v6)             
2375/tcp (v6)              ALLOW       Anywhere (v6)             
2376/tcp (v6)              ALLOW       Anywhere (v6) 

When I remove deny all in the Nginx config [1] [2], HTTPS works.

It means the firewall config isn’t the issue, but the Cloudflare IP ranges don’t allow HTTPS connections?

[1] maple-fighters/src/frontend/nginx.conf at main · codingben/maple-fighters · GitHub
[2] maple-fighters/src/frontend/cloudflare-ips.conf at main · codingben/maple-fighters · GitHub

As proof, I’ve added 443 to the server firewall:

user@maplefighters:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere                  
2375/tcp                   ALLOW       Anywhere                  
2376/tcp                   ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
22/tcp (v6)                LIMIT       Anywhere (v6)             
2375/tcp (v6)              ALLOW       Anywhere (v6)             
2376/tcp (v6)              ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)  

It doesn’t work. I’m allowing connections only from Cloudflare IP ranges. I’m not able to establish a connection to the server using HTTPS (it worked with HTTP before).

@WalshyMVP Please try now to access the https://maplefighters.io by yourself and you’ll see 403 Forbidden error.

The reason I prefer connections only from Cloudflare IP ranges is network security. Am I right to do it at all? Is it safer to allow connections from Cloudflare IP ranges?

The 403 is from your nginx, so it is obviously working.


Can you check that you are using the Full (Strict) SSL mode on Cloudflare?


The 403 is from your nginx, so it is obviously working.

Yes, because I want to allow connections only from Cloudflare IP ranges, which seemingly don’t support HTTPS connections.

Can you check that you are using the Full (Strict) SSL mode on Cloudflare?

Yes, I’ve already enabled Full (Strict) SSL mode on Cloudflare. This is how it works without allowing connections only from Cloudflare IP ranges.

Ok, I understand now that you want to block all other IPs in Nginx, not in ufw/iptables.

I would recommend only allowing Cloudflare IPs to connect on ports 80/443 in ufw. But if you want to block in Nginx, you need to put the deny all rule at the end, as it works on a first match principle.

https://nginx.org/en/docs/http/ngx_http_access_module.html

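The two recommendations in the reply above (deny all must come last in ngx_http_access_module because the first matching rule wins; preferably enforce the Cloudflare allowlist in ufw on ports 80/443) can be checked without touching a live server. The script below is an added example, not code from the thread or from the maple-fighters repository: it emulates nginx's first-match evaluation so you can see why "deny all" before the allow lines yields 403 for everyone, and it renders the corrected nginx snippet and the equivalent ufw commands from one list of ranges. The ranges embedded here are a constructed subset taken from Cloudflare's published list for illustration only; regenerate from the current official list (https://www.cloudflare.com/ips/) in practice.

```python
import ipaddress

# Constructed illustrative subset of Cloudflare's published edge ranges.
# The real list changes over time: fetch https://www.cloudflare.com/ips-v4
# and https://www.cloudflare.com/ips-v6 and regenerate before deploying.
CLOUDFLARE_RANGES = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "172.64.0.0/13",
    "2400:cb00::/32",
    "2606:4700::/32",
]


def access_decision(rules, client_ip):
    """Emulate ngx_http_access_module.

    `rules` is an ordered list of (action, target) pairs where action is
    "allow" or "deny" and target is a CIDR or the literal "all". nginx walks
    the list in order and the FIRST matching rule decides; if nothing
    matches, the request is allowed.
    """
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action  # "all" matches every client, nothing after it is ever reached
        net = ipaddress.ip_network(target, strict=False)
        if addr.version == net.version and addr in net:
            return action
    return "allow"


def wrong_order(cidrs):
    """The ordering from the original post: deny all first, allows after."""
    return [("deny", "all")] + [("allow", c) for c in cidrs]


def right_order(cidrs):
    """The corrected ordering: allow the proxy ranges, then deny everything else."""
    return [("allow", c) for c in cidrs] + [("deny", "all")]


def render_nginx(cidrs):
    """Render a cloudflare-ips.conf style snippet with deny all LAST."""
    lines = ["# Cloudflare edge ranges. First match wins, so deny all must be last."]
    lines += [f"allow {c};" for c in cidrs]
    lines.append("deny all;")
    return "\n".join(lines)


def render_ufw(cidrs, ports=(80, 443)):
    """Render ufw commands that admit only the proxy ranges on the web ports.

    Assumes ufw's default incoming policy is deny, so no explicit deny is needed.
    """
    return [
        f"ufw allow proto tcp from {c} to any port {p}"
        for c in cidrs
        for p in ports
    ]


if __name__ == "__main__":
    edge = "104.16.1.1"      # inside 104.16.0.0/13, i.e. a Cloudflare edge address
    stranger = "203.0.113.7"  # TEST-NET-3, not in any listed range
    print("deny-all first, edge client  :", access_decision(wrong_order(CLOUDFLARE_RANGES), edge))
    print("deny-all last, edge client   :", access_decision(right_order(CLOUDFLARE_RANGES), edge))
    print("deny-all last, direct client :", access_decision(right_order(CLOUDFLARE_RANGES), stranger))
    print()
    print(render_nginx(CLOUDFLARE_RANGES))
    print()
    print("\n".join(render_ufw(CLOUDFLARE_RANGES)))
```

Two caveats a practitioner will hit with this setup. First, if nginx also loads ngx_http_realip_module with set_real_ip_from for the same ranges and real_ip_header CF-Connecting-IP, the access module then compares the restored visitor address rather than the edge address, and the allow list above would deny every real visitor; keep the proxy check on the connection address or move it to the firewall. Second, Docker publishes container ports through its own iptables chain, which bypasses ufw's rules by default; that is why HTTPS to the container worked in the thread before 443 was ever added to ufw, and it means the ufw allowlist above does not restrict a Docker-published port without additional host configuration. Unrelated to the 403, the same ufw output allows 2375/tcp (the conventional plaintext Docker API port) from anywhere; if the daemon actually listens there, that deserves attention before anything else.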

@Laudian Thank you very much! You helped me a lot, I really appreciate it (and also the very quick responses!).

But if you want to block in Nginx, you need to put the deny all rule at the end, as it works on a first match principle.

I’ve moved the deny all to the end after allow rules and it works now! I also checked Nginx logs and see only connections from Cloudflare servers.

I would recommend to only allow Cloudflare IPs to make connections on port 80/443 in ufw.

You’re absolutely right, I should do it this way. Thanks again 🙂


I’m currently using port 80 for HTTP at 192.168.1.100, but I haven’t configured port 443. My firewall setup only allows port 80.
